Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: at76c50x: fix use after free access in at76_disconnect<br /> <br /> The memory pointed to by priv is freed at the end of at76_delete_device<br /> function (using ieee80211_free_hw). But the code then accesses the udev<br /> field of the freed object to put the USB device. This may also lead to a<br /> memory leak of the usb device. Fix this by using udev from interface.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered<br /> <br /> Russell King reports that a system with mv88e6xxx dereferences a NULL<br /> pointer when unbinding this driver:<br /> https://lore.kernel.org/netdev/Z_lRkMlTJ1KQ0kVX@shell.armlinux.org.uk/<br /> <br /> The crash seems to be in devlink_region_destroy(), which is not NULL<br /> tolerant but is given a NULL devlink global region pointer.<br /> <br /> At least on some chips, some devlink regions are conditionally registered<br /> since the blamed commit, see mv88e6xxx_setup_devlink_regions_global():<br /> <br /> if (cond &amp;&amp; !cond(chip))<br /> continue;<br /> <br /> These are MV88E6XXX_REGION_STU and MV88E6XXX_REGION_PVT. If the chip<br /> does not have an STU or PVT, it should crash like this.<br /> <br /> To fix the issue, avoid unregistering those regions which are NULL, i.e.<br /> were skipped at mv88e6xxx_setup_devlink_regions_global() time.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path<br /> <br /> In the for loop used to allocate the loc_array and bmap for each port, a<br /> memory leak is possible when the allocation for loc_array succeeds,<br /> but the allocation for bmap fails. This is because when the control flow<br /> goes to the label free_eth_finfo, only the allocations starting from<br /> (i-1)th iteration are freed.<br /> <br /> Fix that by freeing the loc_array in the bmap allocation error path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: openvswitch: fix nested key length validation in the set() action<br /> <br /> It&amp;#39;s not safe to access nla_len(ovs_key) if the data is smaller than<br /> the netlink header. Check that the attribute is OK first.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: mctp: Set SOCK_RCU_FREE<br /> <br /> Bind lookup runs under RCU, so ensure that a socket doesn&amp;#39;t go away in<br /> the middle of a lookup.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll()<br /> <br /> rpl is passed as a pointer to ethtool_cmis_module_poll(), so the correct<br /> size of rpl is sizeof(*rpl) which should be just 1 byte. Using the<br /> pointer size instead can cause stack corruption:<br /> <br /> Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ethtool_cmis_wait_for_cond+0xf4/0x100<br /> CPU: 72 UID: 0 PID: 4440 Comm: kworker/72:2 Kdump: loaded Tainted: G OE 6.11.0 #24<br /> Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE<br /> Hardware name: Dell Inc. PowerEdge R760/04GWWM, BIOS 1.6.6 09/20/2023<br /> Workqueue: events module_flash_fw_work<br /> Call Trace:<br /> <br /> panic+0x339/0x360<br /> ? ethtool_cmis_wait_for_cond+0xf4/0x100<br /> ? __pfx_status_success+0x10/0x10<br /> ? __pfx_status_fail+0x10/0x10<br /> __stack_chk_fail+0x10/0x10<br /> ethtool_cmis_wait_for_cond+0xf4/0x100<br /> ethtool_cmis_cdb_execute_cmd+0x1fc/0x330<br /> ? __pfx_status_fail+0x10/0x10<br /> cmis_cdb_module_features_get+0x6d/0xd0<br /> ethtool_cmis_cdb_init+0x8a/0xd0<br /> ethtool_cmis_fw_update+0x46/0x1d0<br /> module_flash_fw_work+0x17/0xa0<br /> process_one_work+0x179/0x390<br /> worker_thread+0x239/0x340<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0xcc/0x100<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x2d/0x50<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: btrtl: Prevent potential NULL dereference<br /> <br /> The btrtl_initialize() function checks that rtl_load_file() either<br /> had an error or it loaded a zero length file. However, if it loaded<br /> a zero length file then the error code is not set correctly. It<br /> results in an error pointer vs NULL bug, followed by a NULL pointer<br /> dereference. This was detected by Smatch:<br /> <br /> drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to &amp;#39;ERR_PTR&amp;#39;

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe()<br /> <br /> devm_kasprintf() returns NULL when memory allocation fails. Currently,<br /> avs_component_probe() does not check for this case, which results in a<br /> NULL pointer dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mac80211: Purge vif txq in ieee80211_do_stop()<br /> <br /> After ieee80211_do_stop() SKB from vif&amp;#39;s txq could still be processed.<br /> Indeed another concurrent vif schedule_and_wake_txq call could cause<br /> those packets to be dequeued (see ieee80211_handle_wake_tx_queue())<br /> without checking the sdata current state.<br /> <br /> Because vif.drv_priv is now cleared in this function, this could lead to<br /> driver crash.<br /> <br /> For example in ath12k, ahvif is store in vif.drv_priv. Thus if<br /> ath12k_mac_op_tx() is called after ieee80211_do_stop(), ahvif-&gt;ah can be<br /> NULL, leading the ath12k_warn(ahvif-&gt;ah,...) call in this function to<br /> trigger the NULL deref below.<br /> <br /> Unable to handle kernel paging request at virtual address dfffffc000000001<br /> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]<br /> batman_adv: bat0: Interface deactivated: brbh1337<br /> Mem abort info:<br /> ESR = 0x0000000096000004<br /> EC = 0x25: DABT (current EL), IL = 32 bits<br /> SET = 0, FnV = 0<br /> EA = 0, S1PTW = 0<br /> FSC = 0x04: level 0 translation fault<br /> Data abort info:<br /> ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000<br /> CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> [dfffffc000000001] address between user and kernel address ranges<br /> Internal error: Oops: 0000000096000004 [#1] SMP<br /> CPU: 1 UID: 0 PID: 978 Comm: lbd Not tainted 6.13.0-g633f875b8f1e #114<br /> Hardware name: HW (DT)<br /> pstate: 10000005 (nzcV daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k]<br /> lr : ath12k_mac_op_tx+0x174/0x29b8 [ath12k]<br /> sp : ffffffc086ace450<br /> x29: ffffffc086ace450 x28: 0000000000000000 x27: 1ffffff810d59ca4<br /> x26: ffffff801d05f7c0 x25: 0000000000000000 x24: 000000004000001e<br /> x23: ffffff8009ce4926 x22: ffffff801f9c0800 x21: ffffff801d05f7f0<br /> x20: ffffff8034a19f40 x19: 0000000000000000 x18: ffffff801f9c0958<br /> x17: ffffff800bc0a504 x16: dfffffc000000000 x15: ffffffc086ace4f8<br /> x14: ffffff801d05f83c x13: 0000000000000000 x12: ffffffb003a0bf03<br /> x11: 0000000000000000 x10: ffffffb003a0bf02 x9 : ffffff8034a19f40<br /> x8 : ffffff801d05f818 x7 : 1ffffff0069433dc x6 : ffffff8034a19ee0<br /> x5 : ffffff801d05f7f0 x4 : 0000000000000000 x3 : 0000000000000001<br /> x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000008<br /> Call trace:<br /> ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k] (P)<br /> ieee80211_handle_wake_tx_queue+0x16c/0x260<br /> ieee80211_queue_skb+0xeec/0x1d20<br /> ieee80211_tx+0x200/0x2c8<br /> ieee80211_xmit+0x22c/0x338<br /> __ieee80211_subif_start_xmit+0x7e8/0xc60<br /> ieee80211_subif_start_xmit+0xc4/0xee0<br /> __ieee80211_subif_start_xmit_8023.isra.0+0x854/0x17a0<br /> ieee80211_subif_start_xmit_8023+0x124/0x488<br /> dev_hard_start_xmit+0x160/0x5a8<br /> __dev_queue_xmit+0x6f8/0x3120<br /> br_dev_queue_push_xmit+0x120/0x4a8<br /> __br_forward+0xe4/0x2b0<br /> deliver_clone+0x5c/0xd0<br /> br_flood+0x398/0x580<br /> br_dev_xmit+0x454/0x9f8<br /> dev_hard_start_xmit+0x160/0x5a8<br /> __dev_queue_xmit+0x6f8/0x3120<br /> ip6_finish_output2+0xc28/0x1b60<br /> __ip6_finish_output+0x38c/0x638<br /> ip6_output+0x1b4/0x338<br /> ip6_local_out+0x7c/0xa8<br /> ip6_send_skb+0x7c/0x1b0<br /> ip6_push_pending_frames+0x94/0xd0<br /> rawv6_sendmsg+0x1a98/0x2898<br /> inet_sendmsg+0x94/0xe0<br /> __sys_sendto+0x1e4/0x308<br /> __arm64_sys_sendto+0xc4/0x140<br /> do_el0_svc+0x110/0x280<br /> el0_svc+0x20/0x60<br /> el0t_64_sync_handler+0x104/0x138<br /> el0t_64_sync+0x154/0x158<br /> <br /> To avoid that, empty vif&amp;#39;s txq at ieee80211_do_stop() so no packet could<br /> be dequeued after ieee80211_do_stop() (new packets cannot be queued<br /> because SDATA_STATE_RUNNING is cleared at this point).

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i2c: cros-ec-tunnel: defer probe if parent EC is not present<br /> <br /> When i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent<br /> device will not be found, leading to NULL pointer dereference.<br /> <br /> That can also be reproduced by unbinding the controller driver and then<br /> loading i2c-cros-ec-tunnel module (or binding the device).<br /> <br /> [ 271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058<br /> [ 271.998215] #PF: supervisor read access in kernel mode<br /> [ 272.003351] #PF: error_code(0x0000) - not-present page<br /> [ 272.008485] PGD 0 P4D 0<br /> [ 272.011022] Oops: Oops: 0000 [#1] SMP NOPTI<br /> [ 272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S 6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full) 3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5<br /> [ 272.030312] Tainted: [S]=CPU_OUT_OF_SPEC<br /> [ 272.034233] Hardware name: HP Berknip/Berknip, BIOS Google_Berknip.13434.356.0 05/17/2021<br /> [ 272.042400] RIP: 0010:ec_i2c_probe+0x2b/0x1c0 [i2c_cros_ec_tunnel]<br /> [ 272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9<br /> [ 272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282<br /> [ 272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000<br /> [ 272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00<br /> [ 272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000<br /> [ 272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000<br /> [ 272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10<br /> [ 272.108198] FS: 00007b930906fc40(0000) GS:ffff969603149000(0000) knlGS:0000000000000000<br /> [ 272.116282] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0<br /> [ 272.129155] Call Trace:<br /> [ 272.131606] <br /> [ 272.133709] ? acpi_dev_pm_attach+0xdd/0x110<br /> [ 272.137985] platform_probe+0x69/0xa0<br /> [ 272.141652] really_probe+0x152/0x310<br /> [ 272.145318] __driver_probe_device+0x77/0x110<br /> [ 272.149678] driver_probe_device+0x1e/0x190<br /> [ 272.153864] __driver_attach+0x10b/0x1e0<br /> [ 272.157790] ? driver_attach+0x20/0x20<br /> [ 272.161542] bus_for_each_dev+0x107/0x150<br /> [ 272.165553] bus_add_driver+0x15d/0x270<br /> [ 272.169392] driver_register+0x65/0x110<br /> [ 272.173232] ? cleanup_module+0xa80/0xa80 [i2c_cros_ec_tunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698]<br /> [ 272.182617] do_one_initcall+0x110/0x350<br /> [ 272.186543] ? security_kernfs_init_security+0x49/0xd0<br /> [ 272.191682] ? __kernfs_new_node+0x1b9/0x240<br /> [ 272.195954] ? security_kernfs_init_security+0x49/0xd0<br /> [ 272.201093] ? __kernfs_new_node+0x1b9/0x240<br /> [ 272.205365] ? kernfs_link_sibling+0x105/0x130<br /> [ 272.209810] ? kernfs_next_descendant_post+0x1c/0xa0<br /> [ 272.214773] ? kernfs_activate+0x57/0x70<br /> [ 272.218699] ? kernfs_add_one+0x118/0x160<br /> [ 272.222710] ? __kernfs_create_file+0x71/0xa0<br /> [ 272.227069] ? sysfs_add_bin_file_mode_ns+0xd6/0x110<br /> [ 272.232033] ? internal_create_group+0x453/0x4a0<br /> [ 272.236651] ? __vunmap_range_noflush+0x214/0x2d0<br /> [ 272.241355] ? __free_frozen_pages+0x1dc/0x420<br /> [ 272.245799] ? free_vmap_area_noflush+0x10a/0x1c0<br /> [ 272.250505] ? load_module+0x1509/0x16f0<br /> [ 272.254431] do_init_module+0x60/0x230<br /> [ 272.258181] __se_sys_finit_module+0x27a/0x370<br /> [ 272.262627] do_syscall_64+0x6a/0xf0<br /> [ 272.266206] ? do_syscall_64+0x76/0xf0<br /> [ 272.269956] ? irqentry_exit_to_user_mode+0x79/0x90<br /> [ 272.274836] entry_SYSCALL_64_after_hwframe+0x55/0x5d<br /> [ 272.279887] RIP: 0033:0x7b9309168d39<br /> [ 272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8<br /> [ 272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIG_RAX: 000<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/msm/dpu: Fix error pointers in dpu_plane_virtual_atomic_check<br /> <br /> The function dpu_plane_virtual_atomic_check was dereferencing pointers<br /> returned by drm_atomic_get_plane_state without checking for errors. This<br /> could lead to undefined behavior if the function returns an error pointer.<br /> <br /> This commit adds checks using IS_ERR to ensure that plane_state is<br /> valid before dereferencing them.<br /> <br /> Similar to commit da29abe71e16<br /> ("drm/amd/display: Fix error pointers in amdgpu_dm_crtc_mem_type_changed").<br /> <br /> Patchwork: https://patchwork.freedesktop.org/patch/643132/